Microsoft revealed on Tuesday that the latest round of attacks targeting the SolarWinds Serv-U managed file transfer service with a now-patched remote code execution (RCE) exploit is the work of a Chinese actor nicknamed “DEV-0322”.
The revelation comes days after the Texas-based computer monitoring software maker released fixes for the flaw, which could allow adversaries to remotely execute arbitrary code with privileges, enabling actions such as installing and running malicious payloads or viewing and modifying sensitive data.
Tracked as CVE-2021-35211, the RCE flaw lies in Serv-U’s implementation of the Secure Shell (SSH) protocol. Although it was previously revealed that the attacks were of limited scope, SolarWinds said it “did not know the identities of potentially affected customers.”
Attributing the intrusions with high confidence to DEV-0322 (short for “Development Group 0322”) based on the victimology, tactics and procedures observed, the Microsoft Threat Intelligence Center (MSTIC) said the adversary had singled out entities in the US defense industrial base sector and software companies.
“This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure,” according to MSTIC, which discovered the zero-day after detecting up to six anomalous malicious processes spawned by the main Serv-U process, suggesting a compromise.
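The detection signal MSTIC describes, a file-transfer service process that suddenly spawns child processes it has no business launching, can be turned into a simple hunting check. The following is an added example, not code from the article, Microsoft or SolarWinds; it runs over constructed process-creation records (a simplified CSV, not a real Sysmon or EDR format), and the binary name `Serv-U.exe` and the install paths are assumptions.

```python
"""Flag unexpected child processes of the Serv-U service process.

Added example: scans constructed process-creation records and reports every
process whose parent image is the Serv-U service binary, except children the
service is expected to spawn. Field layout is a simplification, not a real
log format. The binary name "Serv-U.exe" is an assumption.
"""
import csv
from io import StringIO

SERVU_IMAGE = "serv-u.exe"      # assumption: name of the Serv-U service binary
EXPECTED_CHILDREN = {"serv-u.exe"}   # children the service legitimately spawns

# Constructed sample records (paths and command lines are made up for the example)
SAMPLE_LOG = """\
ts,parent_image,image,cmdline
2021-07-13T02:11:05Z,C:\\Program Files\\Serv-U\\Serv-U.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c whoami
2021-07-13T02:11:07Z,C:\\Program Files\\Serv-U\\Serv-U.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell -enc AAAA
2021-07-13T02:12:00Z,C:\\Windows\\System32\\services.exe,C:\\Program Files\\Serv-U\\Serv-U.exe,Serv-U.exe
2021-07-13T02:12:30Z,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\notepad.exe,notepad.exe
"""


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_servu_children(log_text: str) -> list:
    """Return every record where Serv-U spawned a child outside EXPECTED_CHILDREN."""
    hits = []
    for row in csv.DictReader(StringIO(log_text)):
        if basename(row["parent_image"]) != SERVU_IMAGE:
            continue                      # parent is not the Serv-U service
        if basename(row["image"]) in EXPECTED_CHILDREN:
            continue                      # benign self-spawn (e.g. worker/restart)
        hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_servu_children(SAMPLE_LOG):
        print(f'{hit["ts"]} Serv-U spawned {basename(hit["image"])}: {hit["cmdline"]}')
```

On the constructed sample the check reports the cmd.exe and powershell.exe launches and ignores the service's own start under services.exe; in production the expected-children set should be tuned from a baseline of the host's normal Serv-U activity.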
The development also marks the second time that a China-based hacking group has exploited vulnerabilities in SolarWinds software as fertile ground for targeted attacks against corporate networks.
In December 2020, Microsoft revealed that a separate espionage group may have taken advantage of the IT infrastructure provider’s Orion software to drop a persistent backdoor called Supernova on infected systems. The intrusions have since been attributed to a China-linked threat actor called Spiral.
Additional indicators of compromise associated with the attack can be accessed from the revised SolarWinds advisory.